Password Management API for Application-to-Application Password Management
(Feature available only in Premium and Enterprise Edition)

Note: This feature was deprecated as of version 5.2 for security reasons. To learn more about APIs, refer to the Managing APIs document.

If you have applications in your infrastructure that need a password to connect to other applications, they can query Password Management Pro to retrieve it. This way, application-to-application (A-to-A) passwords can also follow good password management practices such as periodic rotation, without the trouble of manually updating them in many places. The same procedure can be used for Application-to-Database (A-to-DB) password management.

1. How does A-to-A / A-to-DB Password Retrieval & Management Work?

The web API exposed by Password Management Pro forms the basis for A-to-A Password Management. Applications connect to and interact with Password Management Pro over HTTPS. The application's identity is verified by requiring it to present a valid SSL certificate that matches the details already provided to Password Management Pro for that application. Password Management Pro makes this easier for applications by providing a command line script that abstracts the complexities of using the web API. The command line scripts invoke libraries that use the web API.

2. How to set up Password Management API?

When you want an application to use the Password Management Pro web API, first you should register the application with Password Management Pro, providing specific details on the application. Password Management Pro will then create an integration toolkit containing the libraries and the command line scripts. The application can then use the toolkit to perform password operations on the Password Management Pro repository. Follow the procedure detailed below to do this:

Step 1 - Downloading API Toolkit

  1. Go to Admin >> General and click Password Management API.
  2. In the GUI that opens, click Add Application and fill in the following details about your application (each term is followed by its definition):

    Application Name

    Name of the application in which you wish to deploy A-to-A password management using Password Management Pro

    DNS Name/IP Address

    This is required to establish communication between the application and Password Management Pro

    Resource Type

    Select the operating system on which the application runs. Only the operating systems listed in the drop-down are supported by Password Management Pro (at present Windows & Linux are supported)

    Operations Allowed

    Select the password management operations you wish to allow for the application - Creating Passwords / Resetting Passwords / Retrieving Passwords.

    Inherit the permissions of

    You need to set the password access permissions for the application. The application cannot be allowed to manage all passwords. It has to be allotted specific passwords accessible to it. Password Management Pro already has comprehensive, well-defined access permissions for users. The application may be permitted to inherit the access levels of one of the users of Password Management Pro. Select the name of the user from the drop-down.

  3. Click Save. Using the details you provided, Password Management Pro will create a toolkit for the application.
  4. Click Download Toolkit and save the toolkit on the server where the application is running.

Step 2 - Setting up Password Management Pro API in the application

As mentioned above, the application's identity is verified by requiring it to present a valid SSL certificate that matches the details already provided to Password Management Pro for that application. To configure this:

  1. Create SSL client certificate & private key
  2. Configurations for PMP API
    • Open a command prompt and navigate to the directory where you have installed the PMP API.
    • Edit PMP_API.conf and set the absolute path of client certificate and its private key (that you created and stored as explained above) for the parameters ClientCertPath and ClientKeyPath.
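
One way to carry out item 1 on Linux with OpenSSL and to check the result before setting ClientCertPath and ClientKeyPath, as an added example that is not the vendor's procedure. It assumes a self-signed certificate whose CN is the DNS name registered in Step 1; the file names client.key / client.crt and both function names are hypothetical.

```shell
#!/bin/sh
# Added example, not vendor code. File names client.key / client.crt, the
# function names and the use of a self-signed certificate are assumptions.

# Create a private key and self-signed client certificate for DNS name $1
# in directory $2. umask 077 keeps the key unreadable by other users.
make_client_cert() {
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
          -subj "/CN=$1" \
          -keyout "$2/client.key" -out "$2/client.crt" 2>/dev/null )
}

# Verify certificate $1 and key $2 before referencing them in PMP_API.conf.
# Returns: 0 ok, 1 unreadable/unparsable, 2 key does not match certificate,
#          3 certificate expired, 4 key readable by group or others.
check_client_pair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] || return 2
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 || return 3
    case $(ls -l "$2") in
        -rw-------*|-r--------*) ;;
        *) return 4 ;;
    esac
}
```

Point ClientCertPath and ClientKeyPath at the two files only after check_client_pair returns 0; the private key is stored unencrypted, so its file permissions are the only protection it has on the application server.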

Step 3 - Creating a truststore in the Password Manager Pro Installation

  1. This step creates the truststore that Password Management Pro uses for A-to-A / A-to-DB authentication. Open a command prompt, navigate to the <PMP_SERVER_HOME>\bin directory and execute the following command:

    For Windows:

    importCert.bat <Absolute Path of client certificate created by you>

    For Linux:

    importCert.sh <Absolute Path of client certificate created by you>

  2. Restart the Password Management Pro server.

Important Note: The client certificate and private key must be present on the application server on which you want to use A-to-A / A-to-DB password management.

3. Commands to be included in your application for automatic A-to-A / A-to-DB password management

The above steps complete the installation of the Password Management Pro API in the application. For automatic A-to-A password management, your application needs to invoke the API using the following commands.

3.1 For Password Retrieval

Open a command prompt, navigate to the <PMP_SERVER_HOME>\bin directory and execute the following command:

For Windows:

PMP_API.bat RETRIEVE <Resource Name as present in PMP> <Account Name as present in PMP>

For Linux:

PMP_API.sh RETRIEVE <Resource Name as present in PMP> <Account Name as present in PMP>

Executing the above command will return the password alone.

3.2 For Resetting Password Locally

Open a command prompt, navigate to the <PMP_SERVER_HOME>\bin directory and execute the following command:

For Windows:

PMP_API.bat RESET_LOCAL <Resource Name as present in PMP> <Account Name as present in PMP> <New Password>

For Linux:

PMP_API.sh RESET_LOCAL <Resource Name as present in PMP> <Account Name as present in PMP> <New Password>

3.3 For Remote Password Reset

Open a command prompt, navigate to the <PMP_SERVER_HOME>\bin directory and execute the following command:

For Windows:

PMP_API.bat RESET_REMOTE <Resource Name as present in PMP> <Account Name as present in PMP> <New Password>

For Linux:

PMP_API.sh RESET_REMOTE <Resource Name as present in PMP> <Account Name as present in PMP> <New Password>

Executing the above command attempts a remote password reset. If the operation succeeds, it also changes the password in Password Management Pro and returns the message "Password changed successfully". If the remote password reset fails, it does not change the password in Password Management Pro and returns the message "Password reset failed".
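
How an application script might wrap the RETRIEVE and RESET_REMOTE commands from sections 3.1 and 3.3 so that it never uses an empty password and only treats a rotation as done once the stored value matches; this is an added example, not part of the toolkit. The PMP_API variable and the function names pmp_retrieve and pmp_rotate_remote are hypothetical; the command syntax and the two result messages are the ones given on this page.

```shell
#!/bin/sh
# Added example, not vendor code. PMP_API is an assumed variable holding the
# path of the toolkit script described on this page.
PMP_API="${PMP_API:-./PMP_API.sh}"

# Print the stored password for resource $1 / account $2 on stdout.
# Fails on a non-zero exit or empty output so the caller never proceeds
# with a blank secret. Carriage returns are stripped from the output.
pmp_retrieve() {
    out=$("$PMP_API" RETRIEVE "$1" "$2") || return 1
    out=$(printf '%s' "$out" | tr -d '\r')
    [ -n "$out" ] || return 1
    printf '%s' "$out"
}

# Remote reset of resource $1 / account $2 to new password $3.
# The page documents result messages, not exit codes, so the message decides.
# Returns: 0 reset confirmed, 1 reset not reported as successful,
#          2 success reported but the stored password does not match $3.
pmp_rotate_remote() {
    msg=$("$PMP_API" RESET_REMOTE "$1" "$2" "$3" 2>&1) || true
    case "$msg" in
        *"Password changed successfully"*) ;;
        *) return 1 ;;   # "Password reset failed" or any unexpected output
    esac
    stored=$(pmp_retrieve "$1" "$2") || return 2
    [ "$stored" = "$3" ] || return 2
}
```

Because the documented syntax takes the new password as a command-line argument, it is visible in the host's process list while the command runs and in any shell tracing (`set -x`) or command logging, so run the reset under a dedicated account with tracing off.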

3.4 For Creating a New Resource & a User Account

Open a command prompt, navigate to the <PMP_SERVER_HOME>\bin directory and execute the following command:

For Windows:

PMP_API.bat CREATE <Resource Name> <Account Name> <Password>

For Linux:

PMP_API.sh CREATE <Resource Name> <Account Name> <Password>

Executing the above command will create a new resource and an account in Password Management Pro. If you do not give a password for the account, Password Management Pro will automatically generate one.
